Faced with rapidly growing cyber threats, organizational leaders, and government officials cannot reliably secure all data and digital devices for which they are responsible. The best they can do is conduct strategic risk management. That requires a systematic way to categorize potential attacks and estimate consequences in order to set priorities, allocate resources, and mitigate losses.

The 2018 U.S. National Cyber Strategy holds government officials accountable for doing cyber risk management based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and recommendations from not-for-profit organizations such as the Center for Internet Security (CIS) and ISACA. Yet, none of these policy documents and best practice guides actually provide the necessary analytical tools. As a result, public agencies, private companies, and non-profit groups that try to do risk assessment often feel overwhelmed rather than empowered to make strategic cybersecurity decisions.

The Center for International and Security Studies at Maryland (CISSM) has developed an analytical framework that provides four essential building blocks needed to satisfy the principles in the NIST Standard Framework and other best practice guides:

1.A standardized system for classifying cyber threats and events by their effects.

2.Tools to associate organizational functions with IT topologies.

3.Algorithms to assess the severity of disruptive and exploitative cyber events.

4.A method to understand the integrated nature of risk across different parts of a simple organization, major divisions of a complex organization, or interconnected organizations in a complex system.

These building blocks can be combined in different ways to answer critical questions, such as:

•What is the range of cyber risks to different types of organizations?

•Which threats pose the greatest risk to a specific department or organization?

•How could an attack on one part of an IT network affect other organizational functions?

•What is the accumulated risk across a critical infrastructure sector or geography?

Using a comprehensive, consistent, and repeatable method to categorize and measure risk can enhance communication and decision-making among executives who make strategic decisions for organizations and their IT staff with day-to-day responsibility for cybersecurity. It can facilitate cooperation between public officials and private industry who share responsibility for different components of national critical infrastructure. It can inform media coverage and public debate about important policy questions, such as which decisions about cybersecurity should be purely private decisions, whether government should incentivize or mandate certain cybersecurity choices, and when a cyber attack warrants some type of military response.